Attacker can inject JavaScript codes without Ajenti privileges by this vulnerabillity.Normally an attacker cant intervene to Ajenti without Ajenti privileges.But with this vulnerability, if attacker can create a folder (may be by a web app vulnerability) he can runbad-purposed JavaScript codes on Ajenti user's browser, while the user using File Manager tool.So this vulnerability makes high risk.

[~] How to Reproduce:1)- Create a directory as named xss payload. Like, im<img src onerror=alert(1337)>dir2)- Open this directory in File Manager tool in Ajenti server admin panel.